Chinese Hackers Exploited Recent Fortinet Vulnerability as a Zero-Day to Spread Malware

A suspect threat actor with ties to China exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day attack against a European government entity and an African-managed service provider (MSP).

Telemetry evidence gathered by Google-owned Mandiant indicates that the vulnerability was exploited as early as October 2022, nearly two months before patches were released.

In a technical report, Mandiant researchers stated, “This incident continues China’s pattern of exploiting internet-facing devices, specifically those used for managed security purposes (such as firewalls, IPSIDS appliances, etc.)”

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant of which was designed to operate on Fortinet’s FortiGate firewalls.

The in question intrusion vector relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could lead to unauthenticated remote code execution via specially crafted requests.

Unknown hacking groups have exploited the vulnerability to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server, Fortinet disclosed earlier this month.

The most recent findings from Mandiant indicate that the threat actor exploited the zero-day vulnerability to gain access to targeted networks for espionage operations.

“With BOLDMOVE, attackers developed not only an exploit but also malware that demonstrates an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” the threat intelligence firm said.

The C-written malware is said to have both Windows and Linux variants, with the Linux version capable of reading data from a Fortinet-specific file format. Metadata analysis of the Windows variants of the backdoor indicates that they were compiled as early as 2021, even though no samples have been found in the wild.

BOLDMOVE is designed to perform a system scan and is capable of receiving commands from a command-and-control (C2) server, allowing attackers to perform file operations, spawn a remote shell, and relay traffic via the infected host.

Corroborating Fortinet’s report, an extended Linux sample of the malware includes additional features to disable and manipulate logging features to avoid detection.

The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices, according to Mandiant.

Why Trust Us?

Best Top Reviews Online was founded in 2018 to provide our readers with thorough, unbiased, and independent advice on what to buy. We now have millions of monthly users from all over the world and evaluate over 1,000 products per year.

The article above was written by the BestTopReviewsOnline team, which includes many of the US’s most knowledgeable technical experts. Our team includes well-known writers with extensive experience in mobile phones, computing, technology, photography, and other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of